Making Compliance Part of the "IT DNA"

By Tom Schmidt

For today's enterprises, meeting the requirements of a variety of technical standards, IT governance frameworks, and laws related to security and administration have become a significant challenge. And as numerous industry experts have observed, the pressure to demonstrate compliance with such mandates will likely increase in 2007.

Today's compliance market is similar to the security market of the mid-1990s. Security used to be an afterthought. Companies built their networks and their IT infrastructure without very much thought of security. Once threats and vulnerabilities began to rise in the late '90s, the need for security was better understood. So security got bolted on, and today security is very much engrained in the IT fabric. Compliance is evolving the same way. In most cases, IT infrastructure, processes, and operations weren't built with compliance in mind. But with an increasing regulatory environment, companies have had to adapt very quickly. So today compliance is bolted on, but in the near future policy compliance will become part of the IT DNA.

A "top of mind" issue
Compliance is now a "top of mind" issue for enterprise customers, who are eager to reduce the cost and complexity associated with regulatory compliance through automation.

Software can be used to automate repetitive manual processes. More software equals fewer people, which in turn equals lower costs.

That equation appears to be underscored by the latest (2006) Ernst & Young Global
Information Security Survey, which found:

• The impact of compliance continues to grow.
• Compliance is promoting teaming between information and other functional business groups.
• Compliance is improving information security.

The IT Policy Compliance Group's benchmark report (February 2006), which examined differences between leaders and so-called "laggards" in achieving compliance. According to the report, the three major drivers of performance results in achieving IT compliance are:

• Frequency of internal audit and IT security monitoring Leaders audit for compliance on a continuous basis, at least once a month.
• Time allocated by IT to compliance Leaders are spending 50% more time on compliance than laggards.
• Spending on IT security Leaders spend 10% of the IT budget on IT security, while laggards spend less than 7% on IT security.

Conclusion
With high-profile data breaches and regulatory pressures showing no signs of diminishing, enterprises have a vital role to play in educating employees about the importance of good IT compliance and governance. For these organizations, policy compliance can truly become part of the IT DNA.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.